Venice’s access fee system, designed to regulate the influx of tourists to the historic city and the smaller islands in the lagoon, has been ruled illegitimate by the Garante (in its August 4, 2025 ruling) for the protection of personal data. The authority found that the way the municipality collects and manages personal data violates the basic principles established by the European Data Protection Regulation (GDPR). The measure already provides for a penalty of 10,000 euros and leaves open the possibility of much larger fines, up to 20 million euros, in case of serious and persistent violations.
The proceedings had been initiated following reports and press reports, which had highlighted the critical nature of the mandatory registration required to obtain the QR-code needed to gain access to the city. The procedure affected not only tourists, but also categories exempted from payment: workers, commuter students, temporary residents, individuals with disabilities, people visiting family members who were residents or in prison, citizens engaged in medical appointments, and numerous other cases. A volume of information that, according to the Guarantor, generated prior collection that was disproportionate to the stated purposes. Indeed, the Authority pointed out that the online registration involved the collection of data that was not strictly necessary, such as reasons for travel and details related to the personal and family life of the individuals concerned. Information that could have been provided only in case of contextual control, through self-certifications or documents. Instead, processing organized in this way resulted in a massive collection of data with limited actual use, given that only a small portion would be verified later by municipal offices.
A particularly critical point involved the so-called computer totems, placed at strategic points in the city to enable registration. During a Guardia di Finanza inspection, it was found that browser settings could be changed by users, with the risk of making previously entered data visible. Although the downloadable files contained only initials and validity date, the Garante clarified that even this information, when combined with other elements, could allow indirect identification of users. The configuration was therefore deemed inadequate from a security standpoint.
Another important element is the storage of data. Early registration on the municipal portal meant that personal information was stored even months before actual access to the city. This, according to the Authority, contravenes the GDPR’s principle of time limitation, which requires data to be stored only as long as strictly necessary for the stated purposes. During the discussion with the Guarantor, the municipality therefore introduced some changes to the regulation, expanding the category “Other exemptions” to reduce the collection of specific information and simplifying the procedures for residents, disabled people and guests of accommodation facilities. In any case, the corrective measures were considered partial and not sufficient to eliminate the underlying critical issues. The main problem, according to the Garante, remains the disproportion between the amount of data collected and the tax purposes.
Another issue concerns the use of data for purposes other than tax purposes. Municipal regulations also linked registration to the monitoring of tourist flows and the planning of public services. In any case, daily attendance thresholds were never set, an element that would have justified such broad treatment. In the absence of such parameters, the prior collection of information was considered devoid of real necessity. The Garante therefore ruled that the processing of data by the City of Venice was carried out unlawfully, violating the principles of lawfulness, fairness, minimization, proportionality and confidentiality. Corrective measures have been issued: the Municipality will have to reduce the categories obligated to pre-registration, suspend the collection of residents’ guest data, and strengthen the security measures of the portal and the devices used.
In addition to ordering an adjustment of procedures, the measure establishes a fine of 10,000 euros if the dispute is not settled. But the most serious risk is the application of Article 83 of the GDPR, which provides for penalties of up to 20 million euros, or up to 4 percent of the responsible entity’s annual turnover, for violations of fundamental principles regarding personal data. The episode raises a central question: how to reconcile the management of tourist flows with the protection of the fundamental rights of citizens and travelers.
 |
| Venice, the Guarantor: violated privacy with entry ticket. Fine of 10 thousand to 20 million |
Warning: the translation into English of the original Italian article was created using automatic tools. We undertake to review all articles, but we do not guarantee the total absence of inaccuracies in the translation due to the program. You can find the original by clicking on the ITA button. If you find any mistake,please contact us.
